Description

It’s pretty evident from the recent Microsoft and Solarwinds attacks that cybersecurity is a huge problem as discussed by so many luminary figures. I won’t bore you with the big picture stats on growth in cyber spending since that’s an easy Google search, but the problem in playing this secular trend is just about all the major public cyber companies are trading at multiples that reflect their revenue growth even though their product offerings are a bit of a black box and we have no idea how relevant many of them will be in several years (i.e. the time required to underwrite the multiples on these stocks).

That said, we think Tufin (TUFN) has a valuable product suite where we can understand/assess the value add to current cybersecurity firewalls to give us confidence in their ability to grow revenue in a conservative case at 25%+/year for the foreseeable future. Trading at 3x revenue (or 10x maintenance gross profit) because of a few one-time issues outlined below, TUFN allows us to play cyber with significant downside protection vs. peers. We believe the stock is worth $36, offering 200% upside over the next 2-3 years.

What Does TUFN Do?

TUFN plays in an interesting space within cybersecurity called network security policy management. TUFN manages the many ‘rules’ created through a company’s firewall infrastructure. As companies move from a localized cybersecurity infrastructure (managed in each individual office/city) to a central location, often managed in the cloud, they find that they are integrating tens of thousands of firewall provisioning rules across geographies and providers, a laborious task involving significant manpower. TUFN uses automation/AI to centrally house and integrate all the rules that can be instantly accessed and provisioned, massively reducing network complexity. Put more simply, we do not know from where the attacks may come so a company needs multiple cyber-security tools from different vendors. However, different tools don’t integrate well, so TUFN offers a tool that allows a Chief Security Officer to set up a single rule that works across different vendors/locations. 

Product Overview:

Securetrack/Securechange – Securetrack is TUFN’s flagship product which allows for complete visibility into a company’s network, how it’s configured and all its network device policies, who can talk to whom…etc. Large global enterprises with complex networks are not heterogeneous so they buy network access devices (firewalls) from multiple vendors. Firewalls from Palo Alto, Checkpoint, Cisco…etc can all be integrated and automatically configured through Securetrack. Securetrack is attractive to customers subject to external audits and anyone with an extremely complex network with a ton of rules across multiple firewall vendors in different geographies. In tandem with Securetrack, TUFN also sells Securechange which automates the manual process of firewall rule updates. Securechange allows a single rule to be implemented by a cybersecurity manager across multiple firewalls/locations and with automatic checks against compliance restrictions.

What often happens is a developer works on an app on a certain part of the network, submits a ticket through ServiceNow that goes to the central security team which looks at the change request, whether they should allow the change and whether it conforms with policy. It usually doesn’t conform to a policy so that creates a lot of errors. Then the developer steps in to make the change, which often takes one to two weeks. With TUFN, that change request flows into their software layer, checks it against the defined policy, automatically checks whether the change can happen and if it’s allowed, it gets forwarded on to the security team to make the change or the change can be automated. This reduces the timing from two weeks to ten minutes. As more firewalls are implemented, this whole process gets even more complex, increasing the value of TUFN’s software.

Pricing is about $1,200 per firewall for SecureTrack and $2,400 for both SecureTrack and SecureChange. TUFN is currently in about 16% of the Global 2000 with SecureTrack but in only about half their network so there is room to upsell SecureChange and sell into more firewall devices. Firewalls are also growing at about 15%/year so growth should be in the double digits even without upsell/increased penetration or market share growth.

SecureCloud – TUFN launched their cloud product very recently, in the first quarter of 2020. At a high level, it does what the on-prem product does but in Kubernetes and in public clouds. It maps out the entire cloud network and sees how all products within the cloud work together. Admins in AWS/Azure/Google Cloud get alerts from the security team through the development operations people which automates the whole process, similar to SecureTrack/SecureChange, on-premise.

After reading this far, not sure if people think this is an opportunity or if it’s still a bit esoteric so I’m including below some excerpts from expert transcripts that should help to continue framing the product/opportunity.

Expert Call Excerpts

Expert: How does the problem manifest itself? This is something you probably hear about in pretty much every technology out there. There's a lack of skills in the marketplace for the plethora, I don't use that word often, of tools that are out there and the pure volume of information generated by these different tools. It's tremendous. It's significant enough that you need a specialist in each different product you have in order to use them to even half of the abilities that they deliver.

Expert: The problem starts off by having a lack of skills. Really, I have a security issue to solve. I don't have the resources, whether it's budget or people or both, to address my security needs because at the end of the day, this is a security play. It's not a lack of people play. The idea is that regardless of what hardware you have out there, you have this, I'm going to call it, an independent pane of glass that makes you monitor, which would be SecureTrack, and then manage, which is SecureChange, your security policy.

Expert: Instead of addressing the firewalls as an individual device is with their rule basis and anti-spoofing policies and VPN policies and things like that, instead of having to know all that stuff, what SecureChange will do for you is it will give you the 80% of the work that is done all the time.

Expert: The bulk of the work was done by these security policy administrators. It will take care of it automatically for you. You will find the policy in any changes, in any guidelines or any compliance requirements you have. When somebody then decides that we need to add, let's say, some new servers into the PCI zone, those new servers will comply with PCI and they'll fit within the corporate policy just by telling security we've added a bunch of new servers in here.

Expert: It means I don't have to care what the underlying infrastructure is. If I have a Cisco in there or a Palo Alto or a Juniper or Check Point or multiple devices, it doesn't matter to me anymore. I don't need an expert in each of those. I have a tool that will take care of all the bulk of my configuration of security for me without me having to dive under the covers and have the deep investment in people that would normally be required for this.

Expert: There's a piece called SecureApp, which goes on top of SecureChange, which is, to be honest, pretty much ubiquitous. They're almost merged into the same. In Tufin, we understood that people aren't necessarily managing security anymore but they're really managing access to applications because your applications are your business. That's the blood that flows through the business. I need to make sure that all the applications are available but at the same time, I don't want it to be exposed to malicious players out there.

Expert: We actually took, I'm going to say, a different view, another view and attacked it from the application layer and let you set your policies out based on who should be able to access applications and how they should access them. We define that in a similar UI to SecureChange. You actually have the policies rolled out for you and maintained for you, I'm going to say, in real-time because if someone was to manually change the device on the fly, the SecureTrack piece would monitor that, find that it had been changed and it's no longer compliant, and Change would say, "You need to make a change here," or SecureApp would say, "Hey, this application is no longer accessible," and would open a ticket in SecureChange for either manual or automated renovation.

Expert: It's basically moving away from the management tools that are available per vendor and bringing the single tool that lets you manage all the different vendors out there, regardless of what they are.

Where we found the correct target audience, was CISO who managed both network and security, which by the way began to merge during our time at Tufin as well. When we find the right people, you talk to the CISO and you say, "We put SecureTrack. It does this. Last year, your team cleaned up 35,000 firewall rules." He says, "Wow, that's amazing." You tell them, "Did you know that we have a tool here called SecureChange and SecureApp that they can just take away all that manual effort? You don't have to worry about anymore." The CISO says, "Why am I not using that?" Where we sat, the approach was 100% what the market was looking for. It's just that the market hadn't yet jumped and said, "We're ready to adopt this and implement this and work like this."

The customers, first of all, they love the whole idea of automation. They love the idea, much like I love ice cream but it's bad for me. They love the product. They would get SecureTrack in there because that's the easy piece. You can see value within, I would say, 30 minutes. We've got it faster. I've been in POCs where within the first five minutes, we showed the guys that they had some weird stuff in their security policy that was actually not doing what they said it was doing. They were, "Oh, wow."

Expert: Generally, within 30 minutes, you get value from Track. It's very easy for the people we were working with, which were the firewall system operations and the firewall managers, sometimes their network teams, just to get bogged down in all the detail. "Great. I can now run this firewall cleanup project," or, "I have a PCI compliance project. I'm going to use Tufin SecureTrack to make sure I meet my compliance guidelines. I'm not going to touch Change. I'm not going to touch SecureApp because I've got enough work here and I don't have the time to look into that."

Analyst: How about just the shift to companies going to AWS or something like that? Does that eliminate a customer for you? Is the cloud a benefit or is the cloud a threat?

Expert: It's a benefit. It's another opportunity. Actually, about a year ago or maybe more, two years ago, people didn't understand getting your security in general at all. Not just leaky S3 buckets but most of the devices put up on Amazon were just wide open to the internet, most of the virtual systems.

Expert: One of the benefits of having Tufin there with your security policy was seeing, my ERP application is now in this AWS zone. Apply the security policy now for ERP into that zone too. That would actually take care of the security element for the AWS piece too so it was an opportunity. There was, I'm going to say, a lot of people who really didn't know what they're doing with AWS. That was when the DevOps and SecOps were arriving up. DevOps was doing whatever they wanted and security guys were pulling their hair out because they had no control. Now, there's control in place.

I have a suspicion that it will be acquired in the next five years is my guess. The market is big enough to continue to putter along, to move along slowly and nicely unless there's something major that occurs or some other major new technology. Cloud computing was a massive shift and it opened up a lot of opportunity but we didn't expand exponentially in the cloud which is why I think that cloud was an opportunity. Either we didn't take it yet, it might still happen although I am not sure it will, or perhaps someone like HP or IBM or even Computer Associates will want a Tufin-like product in their portfolio. That's what I think might happen next five years.

Former Information Security Generalist Manager at PwC

So that's kind of what we are. We have a dedicated team that does nothing but implement firewall rules all day, every day. But unfortunately, because of the way the infrastructure is changing and I'm going somewhere with this point. I'm going to explain here in a second. Because of the way of infrastructure is changing, the way we're collapsing the kingdoms into one centralized management team and one centralized management solution, a lot of times, when these guys make firewall changes, that's in request to some application developer or some need to get something to work. I'm sure you know how that works or how that is. And these guys will make the changes as best they can. But a lot of times, they have limited visibility. So they're unable to account for some DMZ in a new territory or some firewall into some guy's desk or firewall that basically nobody knew about. And I wanted to make mention of that because every one of these guys are having this problem every day, every change. So they'll make the change, they'll think it's complete. And they'll submit it and the application doesn't work, or maybe it works today and doesn't work tomorrow, or maybe don't work in every aspect the way it should. This is the very reason the company decided to go with Tufin, because Tufin has the ability to give you visibility over your enterprise. And in a lot of ways, you can map the change before you make it, so you can make a more inclusive change. You can be aware of all the paths and all of the changes, all devices that these changes need to be made on. Does that make sense?

What it can eliminate is we were trying to eliminate some of the low level redundant requests. So we automatically know that if somebody is standing up a new website, that HTTP needs to be allowed, HTTPS needs to be allowed. And some other things like that. Some of those low level requests should easily be automated, and that was our objective. Now as far as for consolidating management this is the piece that's going to need some explanation. Tufin can be a very effective tool for a less complicated environment. So part 1 of the question, did it reduce the complexity of our environment? No. Not at all. But that's because we have every flavor of firewall imaginable. And if you're familiar, you'll understand that the various technologies don't play well together. Some, far worse than others. Very difficult to get them to manage each other together. So in an effort to get that to work, what they've done is they've leveraged the Panorama solution, which is Palo Alto's management solution. Panorama will automatically update any or onboard any Palo Alto device. But Panorama also allows you to add or edit additional devices. So you can put a Check Point device on a Palo Alto solution on the Panorama solution and several other devices like that. And once we can get those devices on the Panorama management solution, all of that information is easily ported over to Tufin. And that's the way they use Tufin. However, again, that does not lessen the complexity of these solutions playing well together. What that does is that gives Tufin visibility into all of these firewalls. So now, when you run the process map through Tufin, you can see where your firewalls are. So if you make a change, and that change should only affect one region, you know exactly which firewall should be affected. It’s not perfect.

Tufin is the only technology that can push changes to all devices. But it was an extremely good investment, or could be an extremely good investment, if realized. So if you can imagine, again, what has taken place, you've gone from, I don't know, 300 different IT offices to 1. So at one point, there is a firewall administrator in Italy, 1 in France, 1 in the Congo, all over. And today, they're all in Florida. And these people in Florida have to manage every brand, every Ford, Nissan, Jaguar, every type imaginable, if you get what I'm saying.

There’s a lot more you can glean through expert calls but hopefully, the excerpts above offer some more context around what exactly Tufin does and why there’s a need for their product.

Why Does the Opportunity Exist?

Perpetual License Model – TUFN has operated under a perpetual license model since selling the upfront license allowed management to bootstrap the business to generate breakeven cash flows early on to limit dilution from venture financing. With COVID, TUFN’s salesforce could not gain much traction with new customers, hence the market dubbed TUFN a ‘COVID loser’ and it did not participate in the rotation into software stocks in 2020 since they continually missed and guided perpetual license revenue down.

Shift to SAAS Model – Adding insult to injury, even though TUFN pre-announced Q4 2020 with a beat, when they reported their Q4 2020 earnings, they outlined a shift from perpetual license to a subscription-based model. Like all SAAS transitions, this caused them to guide down 2021 revenue (since perpetual license revenue recognized upfront would shift to subscription sales), unfortunately, at a time where their business model is still proving itself out and after a very rocky 2020.

However, while the subscription revenue transition will take some time, we are confident that this is management team is extremely technically savvy and we see significant growth in product as security networks become more complex. Moreover, like so many other SAAS transitions, the flexibility of pricing should allow prospective customers to test the product at a smaller scale (vs. buying a perpetual license upfront), accelerating revenue growth.

Valuation:

Downside Protection – Very simplistically, TUFN generated about $62m in maintenance and professional services revenue in 2020 under the perpetual license model at a 75% gross margin. In an acquisition scenario, today, assuming a buyer paid 10x maintenance/professional services gross profit, they would buy the company at $12.90/share, offering downside protection and not factoring in continued double digit revenue growth given the nascent product penetration.

Given the COVID volatility, shift to subscription model and overall newness of the product, it’s tough to calculate LTV/CAC along with ascribing a near-term revenue multiple to the business. However, at 3x EV/Revenue vs. FTNT/PANW/OKTA/ZS/NET trading at 10-35x sales, as the model works and TUFN posts steady and consistent revenue growth, the revenue multiple should at least double, along with 20%+ revenue growth.

Price Target – At about a 25% revenue CAGR, TUFN would do just over $300m in revenue in 2025. A 5x revenue multiple would mean a $42 stock price (250% upside). Put another way, assuming 85% gross margins, based on the old perpetual license model, if we were to assume a 50/50 gross profit split between perpetual license and maintenance/service gross profit, at 10x price to maintenance gross profit, the stock would rally to $36 (200% upside).

While this isn’t as precise as a DCF or free cash flow yield based valuation, I think looking at price to recurring gross profit offers a proxy for the value of the business while the shift to a subscription model likely lowers the discount rate even further. 

Catalyst

A smooth shift to subscription model and continued revenue growth to prove the model to the market